CYOD Mobile Policies for Enterprises

Connected device capabilities have changed the way enterprises conduct business. Employees can connect to the company network from virtually anywhere, at any time.  

Following the global success of remote work arrangements during the COVID-19 pandemic, some business insiders predict we may be witnessing the near-extinction of the physical office environment altogether. 

Whether this evolution will ultimately prove a net positive or a net negative, in the here and now enterprises must take a proactive approach to managing connected devices and users. One potential approach is to develop a “choose your own device” policy.

What is a choose your own device (CYOD) policy?

CYOD policies help enterprises govern the often complex network of connected devices by establishing a list of approved devices employees can use. 

Importantly, CYOD differs from “BYOD” (bring your own device) in that the employer retains total control over the usage and security of approved devices. BYOD setups typically allow employees to connect devices they personally own and select, which are not subject to the same level of oversight.

By 2024, enterprises will contribute a large percentage of the 18 billion mobile devices connected to networks around the world, a figure that has steadily grown over the past decade. Mobile devices are part of the everyday workday for millions of workers, but without a structured policy in place, enterprises are left exposed to a wide range of potential legal, operational and security vulnerabilities.

Similar to other company-wide policies, a CYOD policy ensures that all stakeholders are on the same page when it comes to using devices connected to the network. While device management may seem to fall strictly under the umbrella of IT or your Security Operations Center (SOC), there are other stakeholders who can benefit from a CYOD policy:

— Human resources
— Legal counsel and regulatory compliance officers
— Any division or department with remote or field workers

CYOD pros and cons

Every approach to connected device oversight comes with potential pros and cons. For example, BYOD policies may be more affordable, but can expose enterprises to security vulnerabilities. COPE (corporate-owned, personally-enabled) approaches can be financially burdensome, but give companies a tighter handle on security issues. Going without a policy altogether is strictly a con, however. 

Human resources considerations

From a human resources perspective, CYOD policies can give helpful guidance on employee expectations and a framework for overseeing device usage. There are several key areas to consider in terms of employee management:

— Disciplinary guidelines for employee misuse or negligence
— Training protocols (from onboarding to ongoing training as the policy evolves)
— Financial matters — who pays for hardware, software, apps, service, and so on
— Access control issues by employee role

A CYOD policy should be able to stand on its own, but ideally, it should inform overlapping policies throughout the enterprise. In particular, every policy on file related to mobile device usage must reflect the most current CYOD policy. Employee handbooks should include CYOD guidelines, as well. 

Legal considerations

While some CYOD policy components are up to the discretion of enterprises, others are compulsory. CYOD policies must address related state and federal laws and regulations.

Matt Diaz, a Dinsmore and Shohl data privacy attorney, cautions enterprises to look carefully at several issues with potential legal ramifications and to consult with legal counsel to safely navigate employment risks.

One particularly complex area is labor and employment law. When employees connect devices from the CYOD list to the corporate network, employers need to plan for how to provide oversight on several fronts. “Just within this one category, issues abound,” Diaz says. “Employers need to consider wage and hour, reimbursement and inadvertent disclosure issues.” 

Diaz says state laws come into play, as well. “In California, for example, case law suggests that employers must reimburse employee expenses for using their personal mobile phones for business purposes,” he says. 

Enterprise CYOD is gaining relevance

As mobile device usage among employees becomes entrenched in day-to-day business activity, enterprises seem to be increasingly adopting CYOD policies. 

According to research conducted in 2016 by International Data Corporation (IDC), 74 percent of the 700 IT decision-makers surveyed said their organizations offered or planned to offer CYOD programs, often as a replacement for BYOD policies. A primary concern with BYOD is security.

BYOD policies have led to data leakage, unauthorized network access, and issues with so-called shadow apps — employees downloading unsafe, unauthorized apps and content. CYOD policies grant enterprises a great deal more control over the devices employees use to connect to their networks. 

A CYOD approach empowers IT and SOC teams to limit access to specific apps and functions and to administer security updates centrally, rather than passing those duties on to users, who may not follow through. This is an advantage over BYOD policies, which, IDC reports, IT decision-makers say “are both difficult to manage and to secure.”

Employee work-life concerns

According to a variety of research studies, employees who conduct some or all of their work from connected devices tend to have a complicated viewpoint. 

On one hand, employees love the convenience of being able to access the company network from anywhere — it sure beats commuting to the office to take care of a quick task. On the other, connected devices can lead to situations where employees feel they are “always on.” The line between work and home can become quite blurred.  

Enterprises may want to take a step back and consider what they hope to ultimately achieve through their CYOD policy. In some cases, just because a manager can access team members at any time, it doesn’t mean they should. 

Developing a set of best practices for management on this front can go a long way toward fostering a work culture that respects autonomy and the importance of a healthy balance between home and work.  

Getting started

Robust CYOD policies empower enterprises to make the most of modern, connected operations approaches while protecting proprietary and personal data, staying in compliance with legal regulations and contributing to a satisfactory work environment. 

Before you start drafting your policy, be sure to engage all the relevant stakeholders. Carefully considering what you hope to gain from a connected work environment will help guide you toward good policy-making. 

